KWallet and SSH-Agent

During a normal KDE session one has to enter a lot of passwords: one to open the session, one to open the wallet, and others to sign emails. SSH sessions need passwords too, or one has to enter the passphrase to add the key to ssh-agent.

This short article shows how to get rid of the necessity to enter one of these passwords. If you are using ssh with ssh-agent, it is possible to store the passphrase for SSH in a KWallet wallet, so that only the password for opening the wallet needs to be supplied. Additionally, you are able to use a really cryptic passphrase for your SSH key, because it is now entered by KWallet.

I expect that you know what you are doing when you use the setup I describe here and that you know the security implications. If you do not know them, do not use this setup.

I assume that you have already created your SSH keys and that the passphrase for the private key is really strong. I also assume that you have ssh-agent running, as is the case on a modern distribution.

1. Askpass program

Download the following program, which fetches your password from KWallet and passes it to ssh-add. Compile it and store it in an appropriate place. I have used $HOME/.local/bin/askpass.

Source code for the KWallet askpass program

QMake file used on OpenSuse 11.2, 11.3, 11.4 and 12.1

The code has been tested on KDE 4.3.5 and 4.7.2 but it should work for all KDE4 versions with KWallet. There is also a version for KDE 3: Source code

2. Autostart script

To add your SSH key to ssh-agent during KDE startup, create a file in .kde/Autostart (on some distributions .kde4/Autostart; look at your paths in systemsettings) with a name like ssh-add.sh and make it executable. Figure 1 shows the script.

#!/bin/sh
export SSH_ASKPASS=$HOME/.local/bin/askpass
/usr/bin/ssh-add
Figure 1: ssh-add.sh

In the second line of the script the variable SSH_ASKPASS is set to the path of the program that fetches the password for the key from KWallet, and exported. Use the appropriate path for your system.

3. Create the password in KWallet

The last step is to create a folder with the name "SSH Askpass" in your default wallet and a password in it with the key "ssh-key". The password that you store in the key is the passphrase that is used to unlock your private SSH key. If you do not like the names of the folder or the entry, just change the source code.

4. Log in to a new session

Start a new KDE session. During startup you should be asked for your KWallet password. If everything went fine, your key has been added to ssh-agent and you can use passwordless SSH. If there is an error, look into your ~/.xsession-errors or try to execute the askpass program standalone with the argument "Enter passphrase for".
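
A stricter form of the ssh-add.sh script from step 2, added here as an example and not part of the original article or its askpass program: before use it checks that the askpass helper could not have been replaced by another account. The function names are hypothetical; the helper path is the one used above.

```shell
#!/bin/sh
# Added example, not the article's script. The askpass helper prints the SSH
# key passphrase on stdout, so refuse to run one that another account could
# have replaced.

# Print the path if it is writable by group or others (-H follows a symlink
# given on the command line; -prune stops find descending into directories).
loose_perms() {
    find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Return 0 only for a regular, executable file owned by the current user,
# where neither the file nor its directory is group- or world-writable.
askpass_is_safe() {
    helper=$1
    [ -f "$helper" ] || { echo "askpass: $helper: not a regular file" >&2; return 1; }
    [ -x "$helper" ] || { echo "askpass: $helper: not executable" >&2; return 1; }
    [ -O "$helper" ] || { echo "askpass: $helper: not owned by you" >&2; return 1; }
    [ -z "$(loose_perms "$helper")" ] ||
        { echo "askpass: $helper: writable by group or others" >&2; return 1; }
    [ -z "$(loose_perms "$(dirname "$helper")")" ] ||
        { echo "askpass: directory of $helper: writable by group or others" >&2; return 1; }
    return 0
}

# Add the key through the helper. ssh-add runs SSH_ASKPASS only when it has
# no terminal and DISPLAY is set (a KDE session sets it); its man page notes
# that stdin may need to come from /dev/null for this to work.
add_key_via_askpass() {
    askpass_is_safe "$1" || return 1
    SSH_ASKPASS=$1
    export SSH_ASKPASS
    /usr/bin/ssh-add < /dev/null
}

# In ssh-add.sh, replace the export and ssh-add lines with:
#   add_key_via_askpass "$HOME/.local/bin/askpass"
```

If a check fails, the reason is written to stderr and ends up in ~/.xsession-errors when the script runs from Autostart.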

Final notes

If you find errors on the page or in the program, or if you have suggestions, remarks or criticism, do not hesitate to contact me. Email: kde-ssh@pontohonk.de

Written by Christoph Bartoschek